
Common security mistakes

Security expert Stephen Mencik's list of the Top 10 security mistakes might surprise you. He says crack IT teams constantly overlook the simplest of preventative measures.

Carelessness with the most basic IT security procedures leaves vital information vulnerable to attack every day, according to information security expert Stephen Mencik.

"Many times, companies hire people that are good at IT, but they don't have the training to understand the existing security problems," Mencik said. "They're experts at things other than security."

Mencik, a senior engineer for Burlington, Mass.-based ACS Defense Inc., has worked in computer and network security since 1981 and was a charter member of the Department of Defense Computer Security Center. As a Certified Information Systems Security Professional, Mencik advises clients on the most common and complex security procedures.

A scheduled speaker at TechTarget's Information Security magazine's Security Decisions Conference in October, Mencik will advise attendees on how to conduct information security assessments using the methodology developed by the National Security Agency. In an interview, Mencik provided a list of the top 10 ways he sees IT teams get into trouble.

1. Failing to change the administrator password once the system is up and running. Many times IT professionals are so happy to get the system running properly that, months later, they discover the password is still "admin."

2. Failing to assign different access levels to users. Some small and even midsized companies give every employee administrative access to the company database, exposing critical information to everyone in the company. Access controls are key: each account should carry only the permissions its job actually requires, so that one careless or compromised user cannot read or change everything.

3. Failing to properly back up system information. Frequency is the name of the game. The number of backups depends on how critical the data is and how often it changes. In most companies, the information should be backed up every day.

4. Running too many types of applications on the same server. There's no reason why a company should run its database on its mail or Web server. An attack aimed at the mail server then yields only the mail server; the attacker still has no access to the database if it lives on a separate machine.

5. Failing to install security patches provided by the software vendor. Companies should make sure they are on software vendors' mailing lists and be up to date on any security advisories that are released. Patches should be tested with an offline replica of the system. Offline testing requires more hardware than some businesses own, but it's crucial to good security.

6. Failing to create a company security policy and failing to educate employees. Companies serious about securing their database information should provide training to their employees. Some employees have their names and passwords written on Post-it notes stuck to their computers. Forcing employees to change their password every 60 to 90 days is a simple way to counter that sort of sloppiness.

7. Forgetting to run an audit. Companies often fail to audit their servers, or they don't know what to look for when they do conduct audits. A person trained to find anomalies, such as a certain user name with a lot of password failures, can often catch who is trying to break into the system.

8. Inadequate contingency planning. Many businesses fail to place backup tapes in a secure area. Fire or water damage could cause a company to lose both its primary and backup information if the backup tape is stored next to the server it protects. Buy a fire-rated safe.

9. Letting the office sprinkler system soak the server. Most offices have a sprinkler system to reduce the spread of fire -- which is a good thing. These systems often damage computer equipment and wipe out critical information -- which is a bad thing. When installing a system for the first time, consider the physical environment and prepare a special computer room with the proper fire suppression equipment.

10. Neglecting the antivirus software. Automatic signature updates reduce the number of viruses that get through, yet many companies are running signatures or scanning engines that are months out of date. Run antivirus software on the e-mail server to check messages as they arrive, before they reach company computers. Desktop antivirus software is then a second line of defense rather than the only one.
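Item 7 above describes the kind of anomaly an auditor looks for: one user name with an unusual run of password failures. The script below is an added example of that check and is not code from the article or from Stephen Mencik. It assumes a log format modelled loosely on SQL Server's "Login failed for user" error-log messages, and the sample lines are constructed, not real audit data. It counts failures per user inside a sliding time window, which is what distinguishes a brute-force burst from a service account that fails occasionally, and it separately flags the case that matters most: a successful logon right after such a burst.

```python
"""Audit a logon log for user names with an anomalous number of password failures.

Added example for the 'Forgetting to run an audit' item; not code from the
article. The log format is an assumption modelled loosely on SQL Server's
'Login failed for user' error-log lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample lines (not real audit data). 'sa' is hammered from one
# client and then gets in; 'jsmith' mistypes twice; 'backup_svc' fails five
# times but spread over two hours. One non-logon line shows that other events
# are skipped.
SAMPLE_LOG = """\
2003-09-10 08:00:01 Logon  Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:00:02 Logon  Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:00:04 Logon  Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:00:05 Logon  Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:00:07 Logon  Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:00:09 Logon  Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:00:11 Logon  Login succeeded for user 'sa'. [CLIENT: 10.0.0.7]
2003-09-10 08:15:30 Logon  Login failed for user 'jsmith'. [CLIENT: 10.0.1.22]
2003-09-10 08:15:41 Logon  Login failed for user 'jsmith'. [CLIENT: 10.0.1.22]
2003-09-10 08:15:52 Logon  Login succeeded for user 'jsmith'. [CLIENT: 10.0.1.22]
2003-09-10 09:00:00 Logon  Login failed for user 'backup_svc'. [CLIENT: 10.0.0.3]
2003-09-10 09:25:00 Logon  Login failed for user 'backup_svc'. [CLIENT: 10.0.0.3]
2003-09-10 09:50:00 Logon  Login failed for user 'backup_svc'. [CLIENT: 10.0.0.3]
2003-09-10 10:15:00 Logon  Login failed for user 'backup_svc'. [CLIENT: 10.0.0.3]
2003-09-10 10:40:00 Logon  Login failed for user 'backup_svc'. [CLIENT: 10.0.0.3]
2003-09-10 10:41:00 Server Recovery is complete.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'\."
    r"(?: \[CLIENT: (?P<client>[^\]]+)\])?"
)


class LogonEvent(NamedTuple):
    ts: datetime
    user: str
    result: str   # "failed" or "succeeded"
    client: str   # source address, or "?" when the line carries none


def parse_log(text):
    """Turn raw log text into LogonEvents, skipping lines that are not logons."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LogonEvent(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                m["user"], m["result"], m["client"] or "?"))
    return events


def audit_logons(text, threshold=5, window_minutes=10):
    """Return {user: finding} for users with `threshold` failures inside any window.

    A finding records the peak failure count seen in one window, the client
    addresses involved, and whether a successful logon followed a burst.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> failure timestamps still inside the window
    findings = {}

    def finding(user):
        return findings.setdefault(user, {
            "peak_failures": 0, "clients": set(), "success_after_burst": False})

    for ev in parse_log(text):
        q = recent[ev.user]
        while q and ev.ts - q[0] > window:   # drop failures that aged out
            q.popleft()
        if ev.result == "failed":
            q.append(ev.ts)
            if len(q) >= threshold:
                f = finding(ev.user)
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["clients"].add(ev.client)
        else:
            if len(q) >= threshold:          # burst, then success: escalate
                finding(ev.user)["success_after_burst"] = True
            q.clear()                        # a good password ends the streak
    return findings


def format_findings(findings):
    """One report line per flagged user, most severe first."""
    order = sorted(findings.items(), reverse=True,
                   key=lambda kv: (kv[1]["success_after_burst"], kv[1]["peak_failures"]))
    return [f"{user}: {f['peak_failures']} failures in window from "
            f"{', '.join(sorted(f['clients']))}"
            + (" -- then SUCCEEDED, treat as compromised" if f["success_after_burst"] else "")
            for user, f in order]


if __name__ == "__main__":
    for line in format_findings(audit_logons(SAMPLE_LOG)):
        print(line)
```

With the defaults (five failures in ten minutes) only `sa` is reported, and it is reported as a burst followed by a success. Widening the window to three hours also surfaces `backup_svc`, which is the usual sign of a service account running with a stale password rather than an attacker; the threshold and window are the knobs an auditor tunes to the environment's normal failure rate.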



To provide your feedback on this article, contact Robert Westervelt.
